Does This Scare You?

Chris Angelico rosuav at gmail.com
Mon Aug 22 08:39:05 EDT 2016


On Mon, Aug 22, 2016 at 9:50 PM, Jon Ribbens <jon+usenet at unequivocal.eu> wrote:
> On 2016-08-22, Chris Angelico <rosuav at gmail.com> wrote:
>> On Mon, Aug 22, 2016 at 8:33 PM, Jon Ribbens <jon+usenet at unequivocal.eu> wrote:
>>> On 2016-08-22, Steve D'Aprano <steve+python at pearwood.info> wrote:
>>>> On Mon, 22 Aug 2016 10:38 am, eryk sun wrote:
>>>>> To me it's scary that this check misses cases because it's trying to
>>>>> be cross-platform instead of simply relying on GetFullPathName to do
>>>>> the work. For example, it misses at least the following cases:
>>>>
>>>> Instead of shaking in your boots over a simple bug in a non-critical
>>>> library, how about reporting these cases on the bug tracker with an
>>>> explanation of the problem?
>>>
>>> That seems a rather unnecessarily harsh response.
>>> Also, it's not "non-critical", this is a security bug.
>>
>> Explain how?
>
> I don't know what purpose you are envisaging this function being used
> for, but the only one I can think of is input sanitisation. e.g. a web
> form where you receive a file from the Internet and store it somewhere,
> and you want to use the filename given to you rather than choose your
> own randomly-generated one.
>
> Under Unix all you need to do is check for the filename starting with
> "." or containing "/." (or "/", depending on your requirements).
> Under Windows you would use this function, which apparently doesn't
> work, hence: security hole.

Nope. On Windows, you would try/except it. There are myriad other ways
something could fail, and the only correct action is to attempt it.
Most of the reserved names will simply give an error; the only way
you'd actually get incorrect behaviour is if the file name, including
extension, is exactly a device name. (Caveat: My knowledge of Windows
is rusty and my testing just now was cursory. I could be wrong.) So
you can check for a few exact strings... or just slap some extra text
onto the beginning or end of the file name (beginning meaning "after
the last slash", not the beginning of the file *path*) and you're
safe.

ChrisA
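As an added example (not code from this thread, nor from the library whose check is being discussed), here is a Python sanitiser for an untrusted upload filename that combines the two approaches mentioned above: an exact-string check against the Windows device names, and prefixing extra text onto the file name (after the last separator, not onto the path). The function names, the `upload_` prefix, and the conservative choice to treat a device name followed by an extension (`con.txt`) as reserved are assumptions of this example, not statements about what any Python library does.

```python
"""Sanitise an untrusted upload filename for both Unix and Windows.

Added example; names, prefix and the reserved-name policy are assumptions.
"""
import ntpath
import re

# Names Windows treats as devices in any directory: CON, PRN, AUX, NUL,
# COM1-COM9, LPT1-LPT9.  The stem before the first dot is compared, so
# "con.txt" is also treated as reserved.  That is a deliberately conservative
# assumption made here, not a claim about every Windows version.
_WINDOWS_DEVICE_NAMES = {"CON", "PRN", "AUX", "NUL"} | {
    f"{dev}{n}" for dev in ("COM", "LPT") for n in range(1, 10)
}

# Characters Windows forbids in a single filename component, plus control
# characters.  Replacing ":" also neutralises "name:stream" syntax.
_WINDOWS_BAD_CHARS = re.compile(r'[<>:"/\\|?*\x00-\x1f]')

# The "slap some extra text onto the beginning" approach from the post.
_SAFE_PREFIX = "upload_"


def base_name(untrusted: str) -> str:
    """Keep only the last path component.

    ntpath.basename splits on both "\\" and "/" and strips a drive prefix,
    so it is the stricter choice even when running on Unix.
    """
    return ntpath.basename(untrusted)


def is_windows_reserved(name: str) -> bool:
    """Exact-string check: is the component a Windows device name?"""
    stem = name.split(".", 1)[0]
    return stem.strip().upper() in _WINDOWS_DEVICE_NAMES


def is_unix_hidden(name: str) -> bool:
    """Unix rule from the thread: reject names starting with '.'."""
    return name.startswith(".")


def sanitize_upload_name(untrusted: str, prefix: str = _SAFE_PREFIX) -> str:
    """Return a filename safe to create under a directory we control.

    Raises ValueError if nothing usable is left after cleaning.
    """
    name = base_name(untrusted)
    name = _WINDOWS_BAD_CHARS.sub("_", name)
    # Windows silently drops trailing dots and spaces, so "foo. " would be
    # created as "foo"; normalise that ourselves to avoid surprises.
    name = name.rstrip(" .")
    if not name:
        raise ValueError("no usable filename component in %r" % untrusted)
    # Either check failing is handled the same way: prefixing the name makes
    # it neither a device name nor a dotfile, without rejecting the upload.
    if is_windows_reserved(name) or is_unix_hidden(name):
        name = prefix + name
    return name


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real upload.
    for sample in ("report.pdf", "..\\..\\con.txt", "../.bashrc",
                   "NUL", "C:con", 'a<b>:c.txt', "trailing. ", "COM10"):
        print(repr(sample), "->", repr(sanitize_upload_name(sample)))
```

Note that the prefix is applied only when one of the checks fires; applying it unconditionally, as the post suggests, is simpler still and removes the need to get the device-name list right.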
